CVE-2009-1275
Apache Tiles 2.1-2.1.1 - Cross-Site Scripting via tiles:putAttribute and tiles:insertTemplate JSP Tags
Title source: llmDescription
Apache Tiles 2.1 before 2.1.2, as used in Apache Struts and other products, evaluates Expression Language (EL) expressions twice in certain circumstances, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information via unspecified vectors, related to the (1) tiles:putAttribute and (2) tiles:insertTemplate JSP tags.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://issues.apache.org/struts/browse/TILES-351
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/34657
Vendor Advisory x_refsource_confirm
http://svn.apache.org/viewvc/tiles/framework/trunk/src/site/apt/security/security-bulletin-1.apt?revision=741913
Scores
EPSS
0.0281
EPSS Percentile
84.9%
Details
Status
published
Products (3)
apache/tiles
2.1.0
apache/tiles
2.1.1
org.apache.tiles/tiles-core
2.1 - 2.1.2Maven
Published
Apr 09, 2009
Tracked Since
Feb 18, 2026